Fine imposed upon Google
Ruling in the proceedings pursuant to Wifi scanning is legally binding
The Hamburg Commissioner for Data Protection and Freedom of Information has imposed a fine of 145,000 Euros upon Google Inc. due to illegal recording of Wifi networks.
From 2008 till 2010 Google not only took photographs of streets and houses for its service Google Street View, but also at the same time captured wireless networks within range of the vehicles used for that purpose. As was admitted by Google in response to an inquiry from the Commissioner for Data Protection, content data of unencrypted Wifi connections had also been recorded in the course of this activity.
This was confirmed by the evaluation of the copies of the data provided by Google for the purpose of investigating the issue. Among the information captured in passing were also large quantities of personal data of different quality: for example, e-mails, passwords, photos and chat protocols.
After the facts of the case had been revealed in the year 2010, Hamburg's Department of Public Prosecutions initiated preliminary investigations, which were discontinued in November 2012. The Hamburg Commissioner for Data Protection and Freedom of Information thereupon took up the matter once again in the context of regulatory offence proceedings.
These proceedings have now been brought to a conclusion with the legally binding decision that Google Inc. had, negligently and without authorisation, captured and stored personal data. At the same time as being notified of the fine, Google was also instructed to delete completely the illegally captured data. The deletion of the data has been confirmed to the Hamburg Commissioner for Data Protection and Freedom of Information.
"In my estimation this is one of the most serious cases of violation of data protection regulations that have come to light so far. Google did cooperate in the clarification thereof and publicly admitted having behaved incorrectly. It had never been the intention to store personal data, Google said. But the fact that this nevertheless happened over such a long period of time and to the wide extent established by us allows only one conclusion: that the company internal control mechanisms failed seriously," so says Johannes Caspar, the Hamburg Commissioner for Data Protection and Freedom of Information.
Cases like this make it clear that the sanctions provided for by the Federal Data Protection Act are totally inadequate for the punishment of such serious breaches of data protection. For multinational companies, fines of up to 150,000 Euros for negligent and of up to 300,000 Euros for intentional breaches are unlikely, as a general rule, to have a deterring effect. Caspar: "As long as violations of data protection laws are punishable by discount rates, the enforcement of data protection laws in a digital world with its high potential for abuse will be all but impossible. The regulation currently being discussed in the context of the future European General Data Protection Regulation, whereby a maximum fine of 2% of a company's annual turnover is provided for, would, on the other hand, enable violations of data protection laws to be punished in a manner that would be felt economically."